Who Needs a SOC™ Audit?

Reading Time: 2 minutes


There are many reasons why a service organization may decide to obtain a service audit report; here are some of the reasons we often see:

Customer requests

  • A customer requests a report because they are outsourcing a key business process and they need to understand the controls at the service bureau as part of their internal Sarbanes-Oxley (SOX) compliance program
  • Customer wants to understand outsourced controls as part of their internal vendor management/due diligence program
  • A large customer required this in their written contract (it is sometimes added when trying to make the sale)
  • The company is losing business to competitors because they don’t provide a Service Organization Control (SOC) report
  • The company realizes that they are getting audited by several companies during the year, which they could potentially eliminate with a SOC audit

Benefits of an Independent SOC 1, 2 or 3 Audit:

  • Instant credibility
  • Independent assessment of controls to give to customers annually
  • Potential to win more business (many companies require a SOC audit as a contractual obligation)
  • Reduction of third-party self-assessment questionnaires
  • One audit report to satisfy multiple customers

Examples of Organizations That Might Request a SOC Audit:

  • Cloud Hosting Service Providers
  • Technology Service Providers (TSPs)
  • Application Service Providers (ASPs)
  • Software-as-a-Service (SaaS)
  • Third-Party Administrators
  • Payroll Providers
  • Professional Employer Organizations (PEOs)
  • Collection Companies
  • Data Center and Co-lo (co-location) Services
  • Managed Service Providers
  • ACH Processors
  • Health Care Claims Processors
  • Prescription Benefit Management Service Providers (PBMs)
  • Financial Services Technology Service Providers (e.g., remote deposit capture service provider)

Services We Provide:

  • Readiness Services – Which audit is right for your customers? Do you have the right controls in place for a successful result?
  • SOC 1 and SOC 2 Audits – Either for a point in time (Type I) or covering a period of time (Type II).
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.


Join 14,000+ business executives and decision makers

Upcoming Events

Upcoming Events

Latest Insights

About The Author